CRA-ready, before the deadline
The CRA enters full enforcement on 11 December 2027. Vulnerability reporting obligations begin 11 September 2026. SBOMVault.ai gives you every artifact the conformity assessment requires — and automates the 24-hour ENISA notification path.
The challenges we hear
Article 6 essential cybersecurity requirements
Annex I requires "secure by default" configurations, secure update mechanisms, vulnerability handling, and integrity protection — proven during conformity assessment.
Article 13 vulnerability handling
Manufacturers must operate a documented vulnerability handling process: identify, fix, distribute updates, and document remediation throughout the support period.
Article 14 reporting obligations
Actively exploited vulnerabilities and severe incidents must be reported to ENISA within 24 hours of awareness, with intermediate updates and a final report.
Annex II technical documentation
Five-year-minimum retention of an SBOM in a "commonly used and machine-readable format" (CycloneDX, SPDX, or SWID — all three supported) covering at least the top-level dependencies.
CE marking under Article 28
You cannot place a product with digital elements on the EU market without a CE conformity declaration referencing the cybersecurity assessment.
Coordinated vulnerability disclosure
A documented CVD policy is required, with clearly named contacts, public reporting channels, and a process for handling responsibly-disclosed reports.
How SBOMVault helps
01
CRA conformity dashboard
Live status board with KEV-flagged reporting queue, recent ENISA submissions, products in CRA scope, and timeline countdowns to both reporting (Sept 2026) and full enforcement (Dec 2027).
02
Six conformity PDFs from real data
EU Declaration of Conformity (Article 28, Annex V), Annex II technical docs, Annex VII conformity assessment, Article 13 vulnerability handling register, CVD policy, and Article 14 reporting log — all populated from your SBOM inventory, vuln records, and audit log.
03
Annex I §1+§2 checklist per product
15 essential requirements with status (compliant / partial / non-compliant / N/A), evidence references, and free-text notes. Values flow into the Annex VII export — no more placeholder bullets.
04
Article 14 submission workflow
Record early-warning (24h), intermediate (72h), and final (14d) submissions with auto-generated snapshot PDFs. Every submission emails the snapshot to your CVD contact plus an optional distribution list (legal, CISO, comms).
05
Active-exploitation reporting queue
Article 14 queue auto-populates from CISA KEV matches against your inventory. Each row carries a Submit-to-ENISA button that records the submission, emails the PDF, and writes the audit trail.
06
Automated vulnerability handling
Article 13-aligned workflow: OSV.dev detection → VaultScore triage → VEX disposition → audit log. Every step recorded as evidence.
07
Coordinated vulnerability disclosure
CVD contact email, PGP fingerprint, and security.txt URL captured at the org level and embedded in every conformity export and the rendered CVD policy PDF.
08
Support-period alerts
A daily cron job warns 60 days ahead of any product's declared support-period end. Per-product alerts appear in-app, with a batched email per org (deduplicated to one per 30 days). Article 13(8) compliance.
09
CRA classification per product
Toggle each product into CRA scope and pick its classification (default / Important Class I / Class II / Critical). Drives Annex VIII module selection in the conformity exports.
10
EU representative + manufacturer fields
Org-level capture of EU registered address and authorised representative — embedded directly in EU DoC and Annex VII PDFs.
11
Two-factor authentication
TOTP-based 2FA, backup codes, and self-service password reset — meeting baseline auth controls auditors increasingly expect for security-critical platforms.
12
Article 28 EU Declaration of Conformity
Generates the 8-section DoC referencing the CRA conformity assessment, applied harmonised standards, and the manufacturer's SBOM evidence trail.
< 24 hr
from active-exploitation detection to ENISA notification draft, with CISO signoff workflow
60%
reduction in conformity assessment preparation time
5+ yr
guaranteed retention of SBOMs and Annex II technical documentation
“We were staring at the September 2026 reporting deadline and a 250-product portfolio. SBOMVault.ai turned the CRA from a dedicated team of consultants into a configuration project.”
VP, Product Security · European industrial automation manufacturer